If you are considering studying the art of software reverse engineering, then this guide below is for you. I'll try to outline here everything you need to know and do (of course this is by no means an exhaustive list or a guarantee that you'll become a reversing god overnight, but it might just get you started in a whole new world). If you are at all serious then you should take heed and the time to download all of my recommended materials; all the time you invest learning now will serve you well in the future. It will also be worth your while to visit some of the other sites I've [link] too on the web. After reading this document and attempting the 2 small sample programs I've made available you'll know whether or not this really is the art for you.

What is Reverse Engineering (precisely)?

Software reverse engineering is the art and process of understanding the intricacies of your own and commercial software at a lower level than the compiler; a fuller definition can be found [link]. Many reversers focus initially on the various protection schemes used by software writers to disable or otherwise prohibit the full use of their software, since this is a convenient (if somewhat legally dubious) starting point with a definite challenge and end point. I personally however have used the knowledge I have gained through 'reversing' to :

Sometimes reverse engineering can be the only way out of a development tight spot, however it is not a decision to be taken lightly.

Reverse engineering is NOT cracking per se, although it is sometimes difficult to draw the fine line between them in the early stages. Most reversers deplore the tens of thousands of warez sites that waste good server space on the web (you probably know them already). If you are looking for easy cracks, key generators or just serial number lists then this site and reverse engineering will NOT be for you; even though this information can be obtained with fairly minimal effort, I expect most warez aficionados will not find themselves reading this in the first place and certainly won't have a clue how to code, assemble and link a key generator, let alone spend hours upon end studying assembly routines.

By learning to reverse engineer yourself, you are gaining a set of valuable and marketable skills (malware analysis, intellectual property rights management and anti-virus / vulnerability research are booming industries), thus distinguishing yourself from the many losers who would rather waste their time searching through pages of bloated graphics and commercial porn sponsors than learning anything themselves. You'll also find (over a period of time) that your reversing efforts will become less focused on protection schemes and that your interest will move away from simple protection cracking; who knows, perhaps a job in hostile code analysis beckons.....

What do I need to know / learn?

To learn reverse engineering from scratch you will probably need to spend a significant amount of time enhancing your low-level knowledge; don't think you can crack any target you fancy by just learning ad nauseam simple techniques. A familiarity with the x86 architecture and instruction set is essential, and an awareness of the 6 basic digital logic circuits (binary) will also be useful (AND, OR (inclusive), NOT, NAND, NOR & exclusive OR (XOR)).

I recommend the following reading resources :-

Art of Assembly Language :- A 25 chapter PDF guide to virtually everything you might ever want to know about x86 processors. These documents are very complete, yet reading them all will probably take you in excess of a few years, so read just the first few chapters and keep the rest, like Chapter 14 on the FPU, for reference purposes as you improve / require.

[link] :- A 220k quick and convenient DOS instruction viewing program from 1991. If you've forgotten a particular assembler command or need to quickly look up how many clocks a particular instruction takes, then this is the guide for you (it is somewhat dated though).

[link] :- A great site with literally tons of useful resources. Download everything there :-). If you want to really 'get into' Windows assembly language programming there isn't much better for free than Iczelion's tutorials.

Intel Developer Manuals :- Anything you ever wanted to know about the nitty-gritty internals of your x86. I recommend Volume 3 (System Programming). I have been told recently that the previous link does not lead to all 3 manuals, you might like to try this link instead. You could also search for 386intel.txt for a good overview. Update 2004 : I believe the Developer manuals now stretch to 4 guides; either way you shouldn't have much problem finding them.

Mammon_'s Tales to his Grandson & Mammon_'s Coming to the Ice Age :- 2 definitive guides to configuring your SoftICE and synopses of the main 3 disassemblers by one of the very best reverse engineers out there (25k). Mammon_ abandoned the Windows scene a considerable number of years ago; an eccentric and enigmatic character, his website still makes for fascinating reading.

[link] :- Dr Paul Carter's free introduction to assembly language (32-bit) using NASM (since it's free), taught previously as a university course. Recommended.

Ralph Brown's Interrupt List :- A maintained list of all DOS BIOS/Interrupt Services; most of the time you'll be looking for subfunctions of INT 10/13/21. Invaluable for older 16-bit programs or coding your own graphics demos / key generators (even understanding old virii). Somewhat dated now, thus I've changed my recommendation from learning this to keeping it just for reference.

Getting and Setting up your Tools

*Updated 2007* : CompuWare have now officially ceased all development upon SoftICE as a product; those of us who watch the scene closely could see this coming for some time. The text below I leave now as a dedication to the past. Farewell.

Any reverser will tell you that you will only ever be as good as the tools you use and the competency with which you use and customise them. Your best weapons are your tools; invest the time learning how to use them. I suggest you obtain at the minimum the following (either download them from my [link] page (if the links are even working) or locate them around the web using various [link] techniques).

- A Windows (preferably protected-mode) Debugger - The standard tool in this category is NuMega's SoftICE, which can trace just about anything; you will not break some protections without it. Download the versions relevant to the platform you plan to investigate, better still download every version you can. Pre-2000 most of my guides use v3.2x/v4.0x for Windows 98. Pay a regular visit also to CompuWare's (formerly NuMega's) web site to keep informed of any new developments; these guys really know how to produce useful tools (need I also mention BoundsChecker & SmartCheck). It's also worth hunting down the various homepages and articles by (ex & current) NuMega developers, need I mention Matt Pietrek & John Robbins ;-).

* The advent of more recent Microsoft OS's (Windows 2000, XP) & CompuWare's acquisition of NuMega requires that you now source SoftICE as part of a CompuWare package; in fact I've heard that CompuWare won't even sell legitimate developers SoftICE standalone any longer.

The sale of NuMega to CompuWare also seems to have contributed to a major decline in quality control; many users have reported significant problems with SoftICE under the newer OS's, most of these relating to breakpoints not behaving as they should. There are some workarounds and custom patches, which you might find on the [link] (use the search facility); a lot of reversers however have given up trying to get SoftICE to behave reliably and have resorted instead to using the capable ring 3 debugger [link]. This also has the added capacity to work under VMware, which seems to be all the rage right now.

SoftICE symbols

Getting debug symbols loaded into SoftICE can be a challenge to say the least; before attempting to do so, make sure that you download and install the latest 'Debugging Tools for Windows' from Microsoft. Next replace all copies of symsrv.dll & dbghelp.dll installed by DriverStudio with those from the Debugging Tools folder; if I remember rightly the DriverStudio root directory, the SoftICE root directory and the SymbolRetriever subdirectory all have copies of those files that need to be replaced. Also be sure that your 'Path to NMS' is set to a directory that exists.

SoftICE under VMWare

This advice is from my good friend nc. If you browse to your VM directory on the hard disk and open the config file (the .vmx file) in a text editor, add the following lines to the config file:

vmmouse.present = FALSE
svga.maxFullscreenRefreshTick = 5

If you want to verify that SoftICE is working correctly, try the following advice that I shamelessly borrowed from Kayaker.

"If you break at the start of a program with the SoftICE loader (assuming you can), and set a breakpoint say a few lines down, either on an address or an API call - does SoftICE break? It should. Make sure you set your bp *while in the context* of the application you want to break into. This is irrespective of the ADDR command, which you shouldn't have to use since you're already in the correct context. In other words, don't expect to be able to just change the context with ADDR from the desktop and have a reliable bp set. If you do, you also need to specify the CS: portion of the address else you'll set up a bp with the wrong code segment. If all else fails, you could try BPM x breakpoints, they can be more reliable than BPX bp's for "sticking". However, they especially should be set while *in* the context of the app."

This small table should provide you with a means to identify which version of SoftICE you have installed on your system.

As SoftICE is virtually every reverser's choice of debugger, some of the more intelligent protections will use various techniques to detect its presence. More likely than not you can find a way around most of these, yet in certain cases, e.g. Hardlock's wrapper and VBox, you'll need to identify precisely the trick before you can work around it; Hardlock is particularly nasty because after disabling the CreateFileA detection you'll wind up with a frozen computer. In said circumstances an alternative debugger can be very useful; such possibilities include Borland's Turbo Debugger (included with TASM & BC++), Microsoft's WinDbg and LiuTaoTao's superb TRW, you know where to look for these :-).

[link] is now highly recommended as the best alternative if your system simply won't take to SoftICE.

- A Disassembler - There are probably 2 main choices for this category, the quicker but less technical W32Dasm v8.9x from URSoftware and the slower, more advanced Intelligent Disassembler Pro from DataRescue. The differences between these 2 are immense; however for instances where you need a quick 'dumb deadlisting' W32Dasm may suffice, serious analysis and analysts however choose IDA. If you have a few spare moments you might also care to investigate some of the older disassemblers such as [link] (more for DOS) and WCB for Windows 3.1, although these are largely obsolete. The choice between the main 2 here is really a question of personal preference. Visual Basic v3 and v4 decompilers are also available, although I've never had a great deal of luck with the VB4 edition. For VB5 & VB6 there exists now a p-code debugger courtesy of the WKT team.

If you are really interested in disassemblers then you should check out dsassm02e, a Win32 disassembler written by a South Korean professor; visit his homepage [link] and download the program with full C source code. Web searchers might like to try looking for material written by Australian Cristina Cifuentes, especially her thesis on decompiling to recover source code.

- A HEX Editor - In this category there are at least a dozen choices; most reversers will however develop their favourite, mine being DOS Hiew. Conventional search engines (e.g. the Simtel archive) will find at least 30 HEX editors (some better than others); of the many out there in the woods the following seem to be popular with reversers: [link], [link], [link] (* note HEdit appears now to be unsupported; you should of course learn how to reverse your tools first).

- Our Tools - Progress is constantly being made in this area (although it is sporadic); this section is probably out of date several weeks after I write it. Retrospectively, arguably the 2 best developments have been [link] by The Owl et al & [link] courtesy of G-RoM & Stone (now integrated into IceDump). Many other tools have also made an appearance, for example r!sc has done some very good work in the unpacking and CD protection fields, others have contributed with unpackers for specific packers (check out the Unpacking Gods webpage if you can) & Tsehp has contributed [link].

The games scene has also pushed forward the boundaries of our tools; an entire scene is now built around in-memory patching (or 'training') courtesy of Stone and others delving inside the Win32 debug API. In late 1999 Stone's Webnote (a very interesting collection of his own exploits) disappeared from the web; for personal reasons he is reluctant to ever re-upload it, a decision you might not agree with but should respect. A final archive of some of the very interesting material on his site can be found [link] (1.08Mb, 1,141,940 bytes).

- Support Tools - room must also be found in any reverser's toolbox for the following tools :-

Indeed, there is such a thing as the above. When starting out you should probably adhere closely to these pieces of advice, else you might make some very nasty enemies (this applies mainly to IRC and message boards).

i) DON'T, the first time you join one of these forums, issue long lists of requests for tools, specifically SoftICE and IDA. At best you'll be politely told to "learn how to search" and at worst you'll be flamed out of existence, not a great way to make friends in this world. However, there are ways and means of obtaining said tools, public forums being not the place. I know that many reversers in private will help you obtain what you need, yet you'll need to develop some skills identifying those that might help and those that will never.

ii) When you've actually cracked a few programs it is very easy to become aloof and maybe somewhat egotistical; I know this to my cost because I've been there and done it too. As a general rule, it's best never to boast or be cocky; trust me, someone out there knows more than you & will eventually shoot you down in flames no matter how clever you think you are ;-). You aren't compelled to reply to 'lamer requests', so maintaining a respectful silence is often 10x more effective. No-one on a message board appreciates a reply to a request for help along the lines of "man, you must be stupid, I cracked that in 5 minutes"; real help rather than ridicule is the order of the day.

iii) Joining warez groups is a matter for your own conscience; I would guess 50% of the community deplores such groups and 50% tolerates them. I'm one of the tolerant group because you may be able to obtain some very interesting specific targets from these sources; naturally I wouldn't dream of cracking these targets or making them available for the losers to download for free, of course. If you are offered hardware incentives to crack for any group you should turn it down immediately (unless of course you have a very secure place to send it).

iv) If you should encounter me on IRC not following my own rules be sure to tell me I'm a hypocrite ;-). The reversing community is much like any other, "do unto others as you would have them do unto you"; apply basic common sense and you won't go far wrong.

Other Resources

Download the documentation for SoftICE and please do read it, else read this (something I shamelessly borrowed from a Programming FAQ) :-

One day a Novice came to the Master.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"No," replied the Novice. The Master sent the Novice on a quest to the Store of Software.

Many hours later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source. What now can prevent you from becoming a Writer of Programs?".
The Novice fidgeted nervously and presented his Compiler of Source to the Master.
"How is this used?" asked the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"No," replied the Novice.
The Master instructed the Novice as to where he could find the Manual of Operation.

Many days later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code?" the Master asked.
"Yes," replied the Novice.
"Have you in your possession a Manual of Operation?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"You have a Compiler of Source, and a Manual of Operation. What now can prevent you from becoming a Writer of Programs?".

At this the Novice fidgeted nervously and presented his Manual of Operations to the Master.
"How is this used?" asked the Novice.
The Master closed his eyes, and heaved a great sigh.
The Master sent the Novice on a quest to the School of Elementary.

Many years later the Novice returned.
"Master," he said, "How is it that I may become a Writer of Programs?".
The Master looked solemnly at the Novice.
"Have you in your possession a Compiler of Source Code, a Manual of Operation and an Education of Elementary?" the Master asked.
"Yes," replied the Novice.
The Master frowned at the Novice.
"What then can prevent you from becoming a Writer of Programs?".

The Novice fidgeted nervously. He looked around but could find nothing to present to the Master.
The Master smiled at the Novice.
"I see what problem plagues you." said the Master.
"Oh great master, please tell me." asked the Novice.

The Master turned the Novice toward the door, and with a supportive hand on his shoulder said, "Go young Novice, and Read The Fucking Manual." And so the Novice became enlightened.

Both the Command Reference and User's Manual used to be available at NuMega's [link] but now ship by default with the installations. There are many tutorials on how to use and customise SoftICE, including mine which forms part of the 1st tutorial. The most common problems with SoftICE relate to the configuration file winice.dat; download Mammon_'s superb guide on all aspects of SoftICE configuration (linked above).

Whilst at Greythorne's site (check out his new Security Nexus too), download all of the +ORC teachings, which have the added advantage of including the relevant files; you will also find some useful ASM and other snippets (e.g. gij's tutorials). Even though the +ORC programs are fairly old, read the texts very carefully indeed; I have found them useful on many occasions. If you already have some Windows programming knowledge then you will most likely already possess a Windows 32 API guide, otherwise locate the pertinent help file and download it (all C compilers that I know of carry the guide).

Protections

As a reverse engineer you will encounter several protectionist strategies; a brief appraisal of the most common schemes is listed below.

1. Serial Number/Password protections - These types of scheme are ubiquitous, just look around the web at the serial number lists and key generators available for losers. Usually the protection of choice for cheaper software, you'll usually find only variations upon very simple schemes, maybe some interesting mathematical manipulations; however you should not dismiss programs using these schemes, some such as ACDSee or WinRAR will prove more than enough challenge to the casual reverser.

Recently several serial number schemes have been based on RSA public/private key encryption (ADC v1.2+, IDA v4.x, Hiew, The Bat! to name but a few), so beware of the target requesting just a serial number. I've heard only of several examples of RSA factoring, the maximum key length being 512-bit; I recommend Ghiri's RSA tutorial on Hiew and also the MIRACL maths libraries for factoring sometime this year. RSA of course is crackable, you could for example simply replace the key with a known quantity :-), often using 1 as the decryption exponent will be satisfactory. An increasing number of serial number schemes are using good off the shelf encryption algorithms; ask around for known targets or check out how the algorithms look when compiled.
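As an added illustration (not code from this page, nor from any of the products named above), here is the structure of a signature-based serial scheme of the kind just described, in Python with deliberately tiny constructed RSA parameters so the arithmetic stays visible: the vendor signs a digest of the user name with the private exponent, and the program accepts a serial only if raising it to the embedded public exponent recovers that digest. The primes, exponents and user names are all constructed for the example.

```python
import hashlib

# Constructed textbook-RSA parameters (p=61, q=53). A real scheme uses a modulus of
# at least 1024 bits; these values only show the shape of the check.
P, Q = 61, 53
N = P * Q                 # 3233: public modulus embedded in the program
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # public (verification) exponent embedded in the program
D = pow(E, -1, PHI)       # 2753: private (signing) exponent, kept by the vendor only


def name_digest(name: str, n: int = N) -> int:
    """Map a user name to an integer below the modulus (SHA-256, reduced mod n)."""
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % n


def make_serial(name: str, d: int = D, n: int = N) -> int:
    """Vendor side (keygen): sign the name digest with the private exponent."""
    return pow(name_digest(name, n), d, n)


def check_serial(name: str, serial: int, e: int = E, n: int = N) -> bool:
    """Program side: the serial is valid iff serial^e mod n equals the name digest."""
    return pow(serial, e, n) == name_digest(name, n)


def count_valid_serials(name: str, n: int = N) -> int:
    """Because x -> x^E mod N is a permutation of Z_N, exactly one serial verifies."""
    return sum(1 for s in range(n) if check_serial(name, s, E, n))


if __name__ == "__main__":
    user = "alice"                        # constructed user name
    serial = make_serial(user)
    print(user, serial, check_serial(user, serial))
    print("valid serials in Z_N:", count_valid_serials(user))
```

The program ships only (E, N); producing a serial needs D, which is exactly why such targets are not keygenned from the binary alone and why the page says to beware of them. The page's remark about using 1 as the exponent can be read off the code too: with e = 1, pow(serial, 1, n) is just serial, so the check degenerates to serial == name_digest(name). Whatever strength the scheme has therefore rests on the embedded (E, N) pair not being modifiable, and that is the part a vendor has to protect.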

2. Time trials - With the explosion in magazine cover CD-ROMs, 30 day trials or 'cinderellas' are also common, although Microsoft prefers to allow you 60 or even 90 days to try their software. Time trials are also fairly easy because the number of tricks a programmer can use is so limited; remember also that in most cases you will have the opportunity to study such a scheme before your time has elapsed. On smaller software be aware that the authors often change the version fairly regularly, so reversing a 30-day trial may not even be necessary.

3. Function Disabled - These are becoming less common now; a program author will lock out certain operations (most commonly Save and Print) allowing you to trial his crippled software. In marketing terms disabled software is less likely to encourage potential buyers to try the software; who will spend 2hrs constructing a work of art which cannot be saved?

Disabled software can be either easily reversed or virtually unreversable depending on whether the program author just locked out the functionality or removed the code altogether. More recently I've seen instances where reversers have actually added back in the relevant saving code as required, although this will depend on how much you know about the missing functionality and whether you have the technical information / skills to add it back in. In most cases (like the Adobe trials) you're going to need advanced knowledge of the file format, and I have my doubts as to whether it's practical to invest the time without referring to the widely available full version.

4. Commercial protection schemes - Now becoming more common as the capitalists seek to market web-ready software; you'll almost certainly run into SalesAgent from Release Software & VBox v4.x from Preview Systems. The latter is a pathetic protection which will require no more than 30 seconds' SoftICE work, the former is somewhat trickier. Packers such as ASPack, Petite, Shrinker are also becoming more common, but you'll need to read more about these elsewhere (see the newly added 6. section).

5. Hardware/Dongle Protections - Termed as hardware protection, a dongle is a small device that is usually connected to the parallel port of the computer (serial & USB devices also exist). The strength of any dongle protection will be influenced a lot by the quality of the implementation; a lot of them are fairly weak. If you have the actual dongle then reversing it will obviously be a lot easier as you can just examine the relevant INs and OUTs.

As with any protection, information is power, so always identify what flavour of dongle you are dealing with and visit the relevant manufacturer's web sites; often you'll be able to download full API sources. In some instances, if you do not have the dongle you may have to pray; although no dongle is unreversable, some of the wrappers incorporate sophisticated and unreversable encryption, anti-SoftICE tricks and self-modifying code, so in some cases you would be well-advised to leave the dongle code as it is and patch the application side. The 2 most common dongles are HASP & Sentinel; if you are serious about the dongle game, visit my dedicated [link] page.

6. Packers - [link] is now very common and is typically marketed more as a code obfuscation tool rather than a protection in its own right (although some do incorporate their own license schemes). The classic symptoms of encountering a packer: either the packer's debugger detection lets you know ("Debugger detected", "Please unload your debugger" etc, etc) or you load the file into a disassembler and see nothing but junk and a program entry point somewhere other than the first code section. A packer generally works by compressing the program's main code and attaching a loading stub; at runtime the stub decompresses the program and runs it. This is a complete oversimplification of an entire protection field, however it will suffice for now. I suggest you download PEiD v0.92 (2004 version) if you want to check quickly a target for a known packer and then search for various unpacking programs for a quick fix; of course you could do it manually but will need to improve your skills considerably before doing so.
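To make the "entry point somewhere other than the first code section" symptom concrete, here is an added example in Python (not code from this page, and not PEiD or its signature database): a minimal PE header walk that finds the section holding the entry point, measures that section's byte entropy (compressed stub data sits near 8 bits/byte), and matches section names against a short constructed list of packer names. The two sample images are constructed in memory by build_sample_pe rather than read from disk, so the whole thing runs offline; the section names, flags and sizes are assumptions chosen to mimic a plain build and a UPX-style layout.

```python
import hashlib
import math
import struct

IMAGE_SCN_CNT_CODE = 0x00000020       # section characteristics from the PE spec
IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Constructed shortlist of section names packers commonly leave behind (not PEiD's data).
KNOWN_PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Read AddressOfEntryPoint and the section table from a PE32/PE32+ image."""
    if buf[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", buf, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", buf, coff + 16)[0]
    optional = coff + 20
    entry_rva = struct.unpack_from("<I", buf, optional + 16)[0]   # AddressOfEntryPoint
    table = optional + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                                      # IMAGE_SECTION_HEADER
        name = buf[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", buf, off + 8)
        chars = struct.unpack_from("<I", buf, off + 36)[0]
        sections.append({"name": name, "va": va, "size": max(vsize, raw_size),
                         "raw": buf[raw_ptr:raw_ptr + raw_size], "chars": chars})
    return {"entry_rva": entry_rva, "sections": sections}


def triage(buf: bytes) -> dict:
    """Apply the three packer heuristics; returns the entry section and a list of findings."""
    pe = parse_pe(buf)
    entry, secs = pe["entry_rva"], pe["sections"]
    entry_sec = next((s for s in secs if s["va"] <= entry < s["va"] + s["size"]), None)
    first_code = next((s for s in secs
                       if s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE)), None)
    findings = []
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    else:
        if first_code is not None and entry_sec is not first_code:
            findings.append(f"entry point in {entry_sec['name']!r}, not in first code "
                            f"section {first_code['name']!r}")
        entropy = shannon_entropy(entry_sec["raw"])
        if entropy > 7.0:
            findings.append(f"entry section {entry_sec['name']!r} has high entropy "
                            f"({entropy:.2f} bits/byte)")
    for s in secs:
        if s["name"] in KNOWN_PACKER_SECTION_NAMES:
            findings.append(f"section name {s['name']!r} matches a known packer")
    return {"entry_section": entry_sec["name"] if entry_sec else None, "findings": findings}


def build_sample_pe(entry_rva: int, sections: list) -> bytes:
    """Construct a minimal PE32 image (headers plus raw section data) for testing only."""
    e_lfanew, size_of_optional, file_align = 0x80, 224, 0x200
    table = e_lfanew + 4 + 20 + size_of_optional
    header_size = -(-(table + 40 * len(sections)) // file_align) * file_align
    hdr = bytearray(header_size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4   # Machine=i386, NumberOfSections, ..., SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = coff + 20
    struct.pack_into("<H", hdr, optional, 0x10B)               # PE32 magic
    struct.pack_into("<I", hdr, optional + 16, entry_rva)      # AddressOfEntryPoint
    body = bytearray()
    for i, (name, va, vsize, raw, chars) in enumerate(sections):
        off = table + 40 * i
        hdr[off:off + 8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, off + 8, vsize, va, len(raw), header_size + len(body))
        struct.pack_into("<I", hdr, off + 36, chars)
        body += raw
    return bytes(hdr) + bytes(body)


def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a compressed program body."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed samples: a plain build with its entry point in .text, and a UPX-style
# layout whose entry point sits in a high-entropy second section.
PLAIN_SAMPLE = build_sample_pe(0x1010, [
    (".text", 0x1000, 0x1000, b"\x55\x8b\xec" + b"\x90" * 509, 0x60000020),
    (".data", 0x2000, 0x1000, b"\0" * 512, 0xC0000040),
])
PACKED_SAMPLE = build_sample_pe(0x2100, [
    ("UPX0", 0x1000, 0x1000, b"", 0xE0000080),
    ("UPX1", 0x2000, 0x1000, pseudo_random_bytes(4096), 0xE0000040),
])

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, triage(sample))
```

Run against a real file with triage(open(path, "rb").read()). The heuristics are deliberately coarse: a legitimate binary with an unusual linker layout can trip the entry-point check, and a packer can rename its sections, so treat the findings as a prompt to look closer rather than a verdict, which is also the right way to read a PEiD hit.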

Patchers / How to Patch

Although I disagree with the concept of making ready-made patches for software, I recognise that in certain circumstances it can be beneficial for reversers to publish examples of their work. Pages which just distribute lamer cracks are wasted space, hence why I mostly avoid including a patch file, leaving you to probe on your own. Anyhow, this inevitably raises the question of whether you should use 1 of the existing patching engines or code your own.

For ease of use I recommend Jes's GPatch (tutorial included in the ready to start tutorial), which generates 4-5k COM files. You may like to examine the source code to a very quick C patcher which I wrote fairly hastily; cranking up the compiler options may well reduce the file size, or you may like to calibrate pitty's very good C++ patcher. Pascal gurus (I am not one) may like to use/modify MisterE's Pascal patcher; you can download all the pertinent source codes [link] (31k). There are many other patchers available; those written in ASM usually produce the smallest file size, although with the size of modern day HD clusters I doubt this is a real consideration.

Windows patchers and patch generators are also available; [link] and WinPatch are 2 that I know of and which are used by some fairly high profile software companies, and many of the scene groups have their own sophisticated patchers these days. For those of you who insist on complete optimisation I recommend PCOM (Private COMpiler), although you might have to invest a little time getting to know it.

Ready to Start?

Well, if you've downloaded all of the tools and documentation I recommended and perhaps invested a few days internally digesting all that information, then you might be ready to attempt your first and second projects, see the link below; after attempting these examples you might find some more in the [link] section.